Sure, but how do you know the APK is the repository's source code? I can sign a malicious APK, and the signature will still be valid.
I simply do not know.
Neither do I, which is why I'm skeptical of “open-source” apps and view them as a form of security theater: something that appears more secure but isn't. The worst thing that can happen is that, in the name of open source, an app developer accidentally publishes secrets, which allows an attacker to publish a malicious version of the app that leaks every user key. If I publish the source of my app, I will take care to ensure that the source code can't be built and released maliciously.